Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wVSFF-001yJz-1k for pgsql-bugs@arkaria.postgresql.org; Fri, 05 Jun 2026 10:57:45 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1wVSFE-00BsXz-1J for pgsql-bugs@arkaria.postgresql.org; Fri, 05 Jun 2026 10:57:44 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1wVSFE-00BsXq-06 for pgsql-bugs@lists.postgresql.org; Fri, 05 Jun 2026 10:57:44 +0000 Received: from mail-ej1-x631.google.com ([2a00:1450:4864:20::631]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.98.2) (envelope-from ) id 1wVSFB-00000001Dy0-3kdf for pgsql-bugs@lists.postgresql.org; Fri, 05 Jun 2026 10:57:43 +0000 Received: by mail-ej1-x631.google.com with SMTP id a640c23a62f3a-bec4ca821acso15745966b.2 for ; Fri, 05 Jun 2026 03:57:41 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1780657060; cv=none; d=google.com; s=arc-20240605; b=h8UDiLAZEsfpv5JGY6paW+e3ELsSZZ08vsTYHxzYjM0uYdzH4W8OhgPxQgz8H5U8nO tOkTvNeai9HABO0qJGXwVCl2R93riO3ZBJc3TLwfgyP9PKdERjcdA2Sd9fTliS81HFGd xN24lpyYBCLAvHPUP/QkrB54+r7ynxTMPQbh74LxHnF/a21fBQRg3YE7tVtxFQ6Xzt3G G6VzFr1zuQTsDbeuIZgANrzUsxr9RxkY1aQL+UEcHxQre/JLRuPs+GsbFU4A4IlFrLyR JgUDAi94KdPo9OBMajqhuAzHU9qIAeDYkON7FjGnAIGm5xPZzmrQ2/n0Bd86BvaHKYXa +cKA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:dkim-signature; bh=7trrTy5b9keK9yBBcb8XUmzKm1UvVTpQTqFmi/eYrPs=; fh=xR/TueBuSDNQlp2+VHblV3YSlibQ94NUBk1wKqCkjaw=; b=d6SC4k7kNQ8EXyGVDzX+m6EIyKnsL5to2Xv7czO4ngHoBAT55Cz9z5CsUS85gIhP7Y fEg/PrZ0aube3JWNHfXd8Iv9EJZKalnXCOdTGcrFcRgc0E3VlQO5zpiN+PaGVUFLLUdY wDwqpTPbq9f5v/hz34TRx6HbxcD+TY5MnRGs8TOR2K6ekRe/ZXSy6pPDG35w28dcN4Rp VYwnDUuf3UhHClQAhTO4xg+OLYq/RvyTEzJKLjhGj8flQ2Kaxyc0LUQ5mvACXmH383r+ XQ0OwEUgMMD9kj3YDJ7xpiwtMGkXJI9n70krHq31fi0YY9NWuh+n4zMJAwsAczp4P51m muLg==; darn=lists.postgresql.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780657060; x=1781261860; darn=lists.postgresql.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7trrTy5b9keK9yBBcb8XUmzKm1UvVTpQTqFmi/eYrPs=; b=lIBoWx5Dfp6ZFtMbc/pN8LJ5tdX8lICYpMxgw5GuVRhnquZm7xFxuc9j7YVgJyiO6a DZGuEW17tgxz8GiaypLOXAV0V5RfHcr3cLO2PYsIYKYv0tB+utuTjGS5m1b9OhfKY5wj a0faPEE9xTjNocMLNFJPelfFcSD9oaKa1TfLGgSb7Llq4o8Bkn7HKvsLw9Okc4/NX3a4 aaaqE73hve8IdOcxxmNIYoRb+x8swK2V/FiSFjoQ+8XqIHMlK5fFHUNxnIOmii9iJS+L kFMKGpZ4pxKMJrwhz/wvu/MgjUa93niyNc5i/UfwDaTWvWE7peyS1TwDjpZ2ThpbeigM ieUA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780657060; x=1781261860; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=7trrTy5b9keK9yBBcb8XUmzKm1UvVTpQTqFmi/eYrPs=; b=CbadNxAySY9wA8h1xkbgxEzluCeQlnKeB6whnUkErK8eiI0o5eFcRtsBk7D4cthR7f DZrOHB/rCT3wdOG4NPo72LFtOarxGO+ufVkjb16cQxek4M7oWyHxGvO96g/jXVUjQMrk +Q0ORm1sCaeGnn9SDvQliJutpH/q+iSxVfw74ewsN/S+MdTGmuzv8AZZaf1HwOe+egyO FzGlLfRX1a+WthDg/WswP1Mi+DOvSV+vncsf+mWsHY9HH4v2y3kAWFDklr408bkLptk9 wP9EFQQ4DRS0fHCdeuzbJme8e8QCJQSAYxVIZAjTH599LsOHH75BDcMADKPSKwRXaGE4 JmLA== X-Forwarded-Encrypted: i=1; AFNElJ8TM4+I7KJ7nl0lKKlYgSrlsthNlg1YhCDY8I1DzQWXWE28cqvdDF0v0yihPol2NsgsuajXcfXjTQKL@lists.postgresql.org X-Gm-Message-State: AOJu0YyYk+MCBU19rzs9usQ4pnxJdzn+FxQt+QmzYX8jP8CHkL7MppD7 UAiK3kIBp3ytkAAaDWogeyFptpNNaTHEQkoX8ZlVIjuIvhCiMMc0N8hchU4s97ur/tu6LHSzj1Y w3mYGyTj1pj+rZBM2nisxetTOHeCJeVTK1gS8fOU= X-Gm-Gg: Acq92OHsoVp+WfH0QEnXoAue8ejpc8P7Blepyqv0vmJP5Gyoc32RmV6CpYGe2v9Z43b aEOmAY6h6/J9eW9isqycZBxNOk7l7R+VX00YoVoD1bsyVi2/G6xV3mtJOzdcZJQvqO/aPJevjkZ 8E2Qwq/mtQC5PzYnJNAwaxJ7q474yYrz18W5NG+q0lSZqH4nkrWZGKJasMJmi1IVlTLhEyrOoaY SM8N16y3JNiDG0rAR+EDRyi3aAfwA2GKX6gYxHx7GC1LAT7Ovdqmu+CjbxZw0GSDvF3KrCUCnnu eJpoRo1+jLUUyxFOPg== X-Received: by 2002:a17:907:28ca:b0:b9b:1963:2ff2 with SMTP id a640c23a62f3a-bf36d2c1748mr57007266b.0.1780657059974; Fri, 05 Jun 2026 03:57:39 -0700 (PDT) MIME-Version: 1.0 References: <19458-a69c98bc498333ba@postgresql.org> <6DE4A9D6-6D5C-41C0-8AFE-F51CFBDDAD5A@yandex-team.ru> <674AEA44-D9C5-423D-B118-693CA130106E@yandex-team.ru> In-Reply-To: From: Nikita Malakhov Date: Fri, 5 Jun 2026 13:57:27 +0300 X-Gm-Features: AVVi8Ce5_FFG7T75TcHhGagHCpPQvHt7hhiFzQgk4oPGIR23FBx0dskczZgQtAU Message-ID: Subject: Re: BUG #19458: OOM killer in jsonb_path_exists_opr (@?) with malformed JSONPath containing non-existent variables To: Andrey Rachitskiy Cc: Amit Langote , Andrey Borodin , PostgreSQL mailing lists , Nikolay Shaplov Content-Type: multipart/alternative; boundary="00000000000086d3ef06537f87fe" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --00000000000086d3ef06537f87fe Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi! Thank you very much for this investigation! I'd take a look into the patch after the weekend. On Fri, Jun 5, 2026 at 1:03=E2=80=AFPM Andrey Rachitskiy wrote: > The growing allocation is leaked temporary JsonValueLists in > executePredicate() (local lseq/rseq, ~1482=E2=80=931547) and the arithmet= ic helpers > executeBinaryArithmExpr() / executeUnaryArithmExpr() (~1561=E2=80=931684)= . Each > nested comparison or arithmetic subexpression materializes operands via > executeItemOptUnwrapResult[NoThrow]() =E2=86=92 executeNextItem() =E2=86= =92 > JsonValueListAppend() (~1165, ~2451), but the interim lists are never fre= ed > before return. For @? specifically, executeJsonPath() also leaks a local > vals list in strict exists mode (~579=E2=80=93586). > > Missing vars make the AFL case worse by returning null instead of error, > so evaluation continues deep into nested $?()/comparisons instead of > stopping at the first $"=E2=80=A6" reference. The same leak mechanism is = reachable > without missing vars =E2=80=94 Tom Lane demonstrated this on master (5a20= 43bf713) > with $[*] ? (@ < $) on a large array. > > Our missing-variable patch fixes the reported OOM and the @? semantics bu= g > by aborting early. Whether REL_14/15/16 also need a broader fix for inter= im > JsonValueList cleanup is beyond what I can confidently propose; I've trie= d > to pin down where the growth happens for that discussion. > > =D0=BF=D1=82, 5 =D0=B8=D1=8E=D0=BD. 2026=E2=80=AF=D0=B3. =D0=B2 13:58, Am= it Langote : > >> Hi, >> >> Before I dig into the patch properly after the weekend, one question >> on the report itself: has anyone traced why the old path runs away on >> memory? We've characterized it as missing-var, then null, then >> evaluation continues, then OOM, but I don't think the actual growing >> allocation has been pinned down. Mostly want to understand whether the >> same runaway is reachable without a missing variable, since raising >> the error early wouldn't catch those cases. >> >> - Thanks, Amit >> > --=20 Regards, Nikita Malakhov Postgres Professional The Russian Postgres Company https://postgrespro.ru/ --00000000000086d3ef06537f87fe Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Hi!

Thank you very muc= h for this investigation! I'd take a look into the patch after the week= end.

On Fri, Jun 5, 2026 at 1:03=E2=80=AFPM Andr= ey Rachitskiy <pl0h0yp1@gmail.com<= /a>> wrote:
<= div dir=3D"ltr">
The growing allocation is leaked temporary= JsonValueLists in executePredicate() (local lseq/rseq, ~1482=E2=80=931547)= and the arithmetic helpers executeBinaryArithmExpr() / executeUnaryArithmE= xpr() (~1561=E2=80=931684). Each nested comparison or arithmetic subexpress= ion materializes operands via executeItemOptUnwrapResult[NoThrow]() =E2=86= =92 executeNextItem() =E2=86=92 JsonValueListAppend() (~1165, ~2451), but t= he interim lists are never freed before return. For @? specifically, execut= eJsonPath() also leaks a local vals list in strict exists mode (~579=E2=80= =93586).

Missing vars make the AFL case worse by returning null inst= ead of error, so evaluation continues deep into nested $?()/comparisons ins= tead of stopping at the first $"=E2=80=A6" reference. The same le= ak mechanism is reachable without missing vars =E2=80=94 Tom Lane demonstra= ted this on master (5a2043bf713) with $[*] ? (@ < $) on a large array.
Our missing-variable patch fixes the reported OOM and the @? semantic= s bug by aborting early. Whether REL_14/15/16 also need a broader fix for i= nterim JsonValueList cleanup is beyond what I can confidently propose; I= 9;ve tried to pin down where the growth happens for that discussion.

=D0= =BF=D1=82, 5 =D0=B8=D1=8E=D0=BD. 2026=E2=80=AF=D0=B3. =D0=B2 13:58, Amit La= ngote <amit= langote09@gmail.com>:
Hi,

Before I dig into the patch properly after the weekend, one question
on the report itself: has anyone traced why the old path runs away on
memory? We've characterized it as missing-var, then null, then
evaluation continues, then OOM, but I don't think the actual growing allocation has been pinned down. Mostly want to understand whether the
same runaway is reachable without a missing variable, since raising
the error early wouldn't catch those cases.

- Thanks, Amit


--
Regards,
Nikita Malakhov
Postgres Professional
The Russian Postgres Company
https://postgrespro.ru/=
--00000000000086d3ef06537f87fe--